
Quick Start

ShiftLeft is a cloud-based security service that monitors your application in production, based on a runtime agent. The runtime agent's configuration is custom to the version of the application that you protect, as it is informed by code analysis.

Behind the scenes, ShiftLeft works in two steps:

  • Analysis
  • Monitoring in runtime

In its analysis step, ShiftLeft identifies the application's attack surface, its inputs, outputs, categories of data handled, the way the data flows throughout the application and any weaknesses the application might have, such as mishandling attacker-controlled data or leaking sensitive variables in plain text.

Informed by the knowledge derived from code analysis, a custom instrumentation called Security Profile for Runtime (SPR) is created and loaded onto a ShiftLeft microagent that runs alongside the application. The SPR tells the microagent how to instrument the application and how to monitor its specific shape and weaknesses.

ShiftLeft Workflow

The combination of code analysis and runtime monitoring is what gives the application an edge over attackers, because the protection provided is specific to the application itself.

Getting Started

Language Support

For now, ShiftLeft supports Java 7+ and C# 6.0. Other languages are coming soon. For inquiries, please fill out our contact form.

To get started, you will need to complete the following steps:

Step 1: Download and Install sl - the ShiftLeft CLI

Linux

curl https://www.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xvz -C /usr/local/bin

Mac OS X

curl https://www.shiftleft.io/download/sl-latest-osx-x64.tar.gz | tar xvz -C /usr/local/bin

Windows .NET Framework

Invoke-WebRequest -Uri https://www.shiftleft.io/download/installer-dotnet-framework-latest-windows-x64.zip -UseBasicParsing -OutFile sl-latest-windows-x64.zip

Windows .NET Core

Invoke-WebRequest -Uri https://www.shiftleft.io/download/installer-dotnet-core-latest-windows-x64.zip -UseBasicParsing -OutFile sl-latest-windows-x64.zip

Or download and install manually

Verify that the installation worked by typing sl help. See more information about sl on the Using the ShiftLeft CLI page.

Step 2: Authenticate sl

sl auth

or on Windows

sl.exe auth
  • This will prompt for your Organization ID and your Upload Token. You will find this information on the user profile page in the ShiftLeft dashboard
  • An alternative to using sl auth (which stores the credentials to a local file) is setting the environment variables SHIFTLEFT_ORG_ID and SHIFTLEFT_UPLOAD_TOKEN
  • See more information about authentication on the Authenticating with ShiftLeft page

Step 3: Run with Microagent

Microagent support

The instructions below apply to Java only. Microagent support for .NET is coming soon. For inquiries, please fill out our contact form.

In order to start your application with the ShiftLeft Microagent, you need to prefix the command line you use to start your application with sl run.

For example, if your usual command is java -jar target/hello-shiftleft-0.0.1.jar and the packaged application is at target/hello-shiftleft-0.0.1.jar, then you can wrap the command like so:

sl run \
  --app HelloShiftLeft \
  --analyze target/hello-shiftleft-0.0.1.jar \
  -- java -jar target/hello-shiftleft-0.0.1.jar
  • --app <name> specifies a unique name for the application
  • --analyze <jar> points sl to the application's JAR to be analyzed before starting up
  • -- delimits flags from the command to be wrapped. What comes after -- is the command itself that will be run with the ShiftLeft Microagent installed

The first time you run this command for a specific JAR, it will take a few minutes to perform the analysis. Subsequent runs will be fast. You also have the option of pre-analyzing applications so that starting up is always fast.
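A start-up wrapper for the command above, added here as an example and not part of the ShiftLeft documentation: it validates the --app name, the JAR path and the wrapped command, refuses to start unless SHIFTLEFT_ORG_ID and SHIFTLEFT_UPLOAD_TOKEN are set (the documented alternative to a credential file written by sl auth), and then execs sl run in the documented form. The APP_NAME and APP_JAR defaults are constructed sample values taken from the HelloShiftLeft example.

```shell
#!/usr/bin/env sh
# Added example, not part of the ShiftLeft documentation: a start-up wrapper that
# validates its inputs, then launches the application under the Microagent with
# the documented form:  sl run --app <name> --analyze <jar> -- <command>
# Credentials come from SHIFTLEFT_ORG_ID / SHIFTLEFT_UPLOAD_TOKEN (the documented
# alternative to `sl auth`), so no credential file has to exist on the host.
# The APP_NAME and APP_JAR defaults below are constructed sample values.

# Print the sl run command line, one argument per line, so it can be checked
# without executing sl. Returns 1 on a bad input.
build_sl_run_cmd() {
  app="$1"; jar="$2"; shift 2
  # --app is a unique name shown in the dashboard; keep it to a safe charset.
  case "$app" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid --app name: '$app'" >&2; return 1 ;;
  esac
  [ -n "$jar" ] || { echo "missing JAR path" >&2; return 1; }
  [ $# -gt 0 ] || { echo "missing command to wrap" >&2; return 1; }
  printf '%s\n' sl run --app "$app" --analyze "$jar" -- "$@"
}

# Fail closed: refuse to start unless both credentials are present.
check_credentials() {
  [ -n "${SHIFTLEFT_ORG_ID:-}" ] && [ -n "${SHIFTLEFT_UPLOAD_TOKEN:-}" ]
}

# Start the application command (remaining arguments) under the Microagent.
start_under_microagent() {
  app="$1"; jar="$2"; shift 2
  command -v sl >/dev/null 2>&1 || { echo "sl is not installed (try: sl help)" >&2; exit 1; }
  check_credentials || { echo "SHIFTLEFT_ORG_ID and SHIFTLEFT_UPLOAD_TOKEN must be set" >&2; exit 1; }
  [ -f "$jar" ] || { echo "JAR not found: $jar" >&2; exit 1; }
  build_sl_run_cmd "$app" "$jar" "$@" >/dev/null || exit 1
  exec sl run --app "$app" --analyze "$jar" -- "$@"
}

# Only start when invoked as:  sh wrapper.sh run   (the functions stay sourceable).
if [ "${1:-}" = "run" ]; then
  start_under_microagent "${APP_NAME:-HelloShiftLeft}" \
    "${APP_JAR:-target/hello-shiftleft-0.0.1.jar}" \
    java -jar "${APP_JAR:-target/hello-shiftleft-0.0.1.jar}"
fi
```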

See more information about installing the Microagent on the Installing the Microagent page or the Configuring the Microagent page.

Step 4: Trigger activity in the application

Once the application is running, you can trigger some activity in your application or expose it to real traffic.

If you are using HelloShiftLeft, you can use the following script as an example:

while true ; do
  curl -s localhost:8081/customers/2 >/dev/null
  curl -s localhost:8081/customers/1 >/dev/null
  sleep 1
  curl -s localhost:8081/customers/2 >/dev/null
  curl -s localhost:8081/customers/1 >/dev/null
  sleep 1
  curl -s localhost:8081/customers/1 >/dev/null
  curl -s localhost:8081/customers/1 >/dev/null
  sleep 1
  curl -s localhost:8081/customers >/dev/null
  curl -s localhost:8081/saveSettings >/dev/null
  sleep 1
  curl -s localhost:8081/customers >/dev/null
  sleep 1
  curl -s localhost:8081/ >/dev/null
  curl -s localhost:8081/account/1 >/dev/null
  curl -s localhost:8081/account >/dev/null
  curl -s localhost:8081/account/2 >/dev/null
  curl -s localhost:8081/account >/dev/null
  curl -s localhost:8081/account/3 >/dev/null
  curl -s localhost:8081/account/3 >/dev/null
  curl -s localhost:8081/account/4 >/dev/null
  curl -s localhost:8081/account/5 >/dev/null
  curl -s localhost:8081/account/5 >/dev/null
  curl -s localhost:8081/account/5 >/dev/null
  curl -s localhost:8081/off >/dev/null
  sleep 1
done

Open the ShiftLeft Dashboard to see activity.